Compliance Conversations: How Do I Determine What Processes Are Needed for a Management System?

Posted by Craig Thornton

This is part 1 of a series of compliance conversations around the management system and its processes.

In this first question we ask, how do I determine what processes are needed for a management system?



Video Transcription


How do I determine what processes are needed for a management system?


Andrew, IRM Systems, Australia

I'll break this into two parts.

First of all, you've got to look at what the standard you're trying to meet mandates.

If you're looking at the Food Safety Management System Standard, Safety, Environment, Quality, Information Security, it's the same thing.

All of those standards mandate that you must have certain processes in place:

  • Corrective Action
  • Management Review
  • Document Control
  • Internal Audit
  • all those kinds of exciting things.

The second stage of that, though, is you really need to identify your intended safety performance or from an information security perspective, how you intend to manage your information security risks.

Once you've determined what you're aiming to achieve, you then need to think about any additional processes required to achieve the performance you're aiming to achieve.


Mark, Business Basics, Australia

You need to look at:

  • the business that you have,
  • the complexity,
  • the areas of control.

If you've only got two or three people working for you, the number of processes that you're going to require is going to be very minimal.

If you've got 200 people working for you, the level of processes that you need to ensure that those processes are controlled is going to be a lot higher.


Chris, FQM, United Kingdom

It's good practice to undertake a SWOT analysis when looking at your organisation to identify the different processes you undertake.

One of the key things to consider is "have you designed your management system and implemented your management system in order for it to comply with an international standard?"

If so, firstly, the international standard may define certain mandatory processes or procedures, which need to be documented. These will be clearly defined and you can put these in place to comply with the requirements of the standard aligned to your business activities.

However, it is important to consider what processes within your organisation, you want to define clearly to ensure that your business consistently meets these process activities, and is able to demonstrate compliance to them.

Often this is done using a risk-based approach.


Sean, Kaizen, New Zealand

The good thing about all the newer versions of the standards is they’re risk-based, meaning that you don't need to document all your processes and procedures for the sake of documenting them.

You would assess the risk that each one of those processes and procedures imposes on your organisation and you document the ones that add value to your organisation.

There are certain documents within the standards that are mandatory, it is mentioned within the standard that this shall be documented, but as a general rule it's risk-based, so depending on the risks that they impose on your organisation, you may decide to include or exclude them from being formally documented.


John, Many Caps, New Zealand

Firstly, ISO is going to stipulate some mandatory documents and records, so that gives you a good start to say we have to have these.

After that, it's based on risk, how big a risk is that process in terms of impact for your business or your customers if it all goes wrong? In most cases, document it and keep it systemized.

Things you need to factor in:

  • impact on quality
  • impact on the customer
  • how complex it is
  • how much training is needed to do that?

Those sorts of things all help you determine what you document and what you don't.


Michael, Momentum Safety and Ergonomics, Australia

When we're looking at processes - this is a hard one because lots of businesses do lots of stuff, you might be lucky to have a business that has a fairly limited scope, but most of us do a fair few things.

Really, it's going to be a question of getting back and having a good look from start to finish at all your different products and the things that your customers would be wanting to know what you do.

For example, if you produce a product, I think you need to go right back to the start and look at things like:

  • purchasing of materials and
  • what outsourcing you're going to be using to kick the process off of creating this product.

The way I do it is, I work my way through the very start from design and conception, through to the end of when that product has been shipped off to the retailers or to market or your customers or whatever that might be.

There’s going to be a whole lot of things that you do in between, that are going to be processes that need to be covered within this system.

If you're looking more at a service-based model, then it's going to be looking at what are the needs of your clientele, and what are going to be the solutions that you provide for them, and looking at how can we make sure that those solutions are matching up with the needs and what do we need to do to make that happen?

I know it's a very generic answer, but there are so many different ways of doing things out there. There are so many different things that people provide that we need to make sure that we've covered off on all of those things.

Now, as you're looking at those processes, there's going to be a whole lot of inputs coming in from different departments, different areas that make this thing happen, things like human resources, health and safety, those sorts of things along the way.


Nicholas, SRM, South Africa

The standard that you adopt, be it ISO 9001, 14000, 45000, 22000, whatever standard it may be, will also help define which processes within your organisation you look at.

An example of that would be the following:

  • ISO 9001 requires that you identify identification and traceability requirements:
    • You would then have a look at how that applies to the processes within your business.
    • If you adopt that standard, you're going to look at those business processes.
  • If you adopt ISO 45001, ISO 14001, it's going to apply to your entire business, but you're going to focus on different areas.
    • Identification and traceability is not as significant an issue so you'll identify and be able to trace equipment used for calibration or monitoring and measuring, but it doesn't have the same applicability as ISO 9001.

  1. The standard you are trying to meet will stipulate some mandatory documents and/or records.
  2. Do a SWOT analysis to identify the different processes your business does.
  3. Assess the risk that your processes and procedures impose on your organisation and document the ones that add value.
  4. Only document those processes and procedures that are of high risk to ensure consistency across your business.

